-----------------------------------
1. Preface
2. Environment
3. Principles and modes
4. Case configurations
Case 1. Change the default Apache site root
Case 2. Add a non-standard Apache port
Case 3. Local regular user accessing FTP
Case 4. Accessing Samba
-----------------------------------
1. Preface
SELinux (Security-Enhanced Linux) is the US National Security Agency's (NSA) implementation of mandatory access control (MAC), and is the most outstanding new security subsystem in the history of Linux. With the help of the Linux community, the NSA developed an access control system under which a process can only access the files it needs for its task. In other words, it is intended to guard against mistaken operations by insiders.
2. Environment
System: CentOS 6.4 32-bit
IP: 192.168.2.20/24
Packages:
setroubleshoot.i686
setroubleshoot-server.i686    program for viewing SELinux logs
setroubleshoot-plugins.noarch
3. Principles and modes
Security context:
identity:role:type
(identity : role : type)
In the default targeted policy the identity and role fields are largely unimportant; what matters is the type field. Basically, whether a subject (process) can read a file resource is decided by the type fields of the two.
Turn off the firewall and enable SELinux (requires a reboot)
# vim /etc/selinux/config
7 SELINUX=enforcing
11 SELINUXTYPE=targeted
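The following is an added example (not part of the original post) that applies the rule above: it pulls the type field out of a context string and flags files whose type is not the one the confined domain is allowed to read. The sample ls -Z lines are constructed from the output shown in case 1; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Extracts the type field from an
# SELinux security context and checks "ls -Z" style lines against the type a
# confined domain such as httpd_t is allowed to read. Sample lines are constructed.

# ctx_type CONTEXT -> prints the third field (type) of identity:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_labels EXPECTED_TYPE   (reads "ls -Z" lines on stdin)
# Prints one line per file whose type differs from EXPECTED_TYPE and returns
# 1 if any mismatch was found, 0 otherwise.
check_labels() {
    expected="$1"
    rc=0
    while read -r perms user group ctx path; do
        [ -n "$ctx" ] || continue
        t=$(ctx_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf 'MISMATCH %s: type %s, expected %s\n' "$path" "$t" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, modelled on the "ll -Z" output in case 1.
SAMPLE_LS_Z='-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /abc/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html'

# Usage: reports /abc/index.html, because default_t is not readable by httpd_t.
# Note that a chcon relabel is lost on the next relabel (restorecon); the
# persistent form is a file-context rule followed by restorecon, e.g.
#   semanage fcontext -a -t httpd_sys_content_t "/abc(/.*)?" && restorecon -Rv /abc
printf '%s\n' "$SAMPLE_LS_Z" | check_labels httpd_sys_content_t || echo "relabel needed"
```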
4. Case configurations
Case 1. Change the default Apache site root
# getenforce
Enforcing
# yum install setroubleshoot-server    // program for viewing SELinux logs
# vim /etc/httpd/conf/httpd.conf    // change the default Apache site root
292 #DocumentRoot "/var/www/html"
293 DocumentRoot "/abc"
# mkdir /abc
# service httpd start
# echo Welcome>/abc/index.html
# ll -Z /abc/index.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /abc/index.html
# ll -Z /var/www/html/index.html    // view the security context of the default site root
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# ps auxZ |grep httpd    // view the security context of the Apache processes
unconfined_u:system_r:httpd_t:s0 root 2630 0.2 0.3 12016 3332 ? Ss 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2633 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2634 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2635 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2636 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2637 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2638 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2639 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2640 0.0 0.2 12016 2144 ? S 20:22 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2644 1.0 0.0 4356 732 pts/0 S+ 20:23 0:00 grep httpd
Visit http://192.168.2.20/index.html in a browser.
# tail -f /var/log/audit/audit.log    // view the log; this log is large and hard to search through, but very detailed
# tail -f /var/log/messages    // view the log
May 19 23:50:54 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /abc/index.html. For complete SELinux messages. run sealert -l c8e46bf3-72a3-40ba-ac72-e345f65f7ff1
# sealert -l c8e46bf3-72a3-40ba-ac72-e345f65f7ff1    // view the details of the error and the suggested fix
# chcon -R -h -t httpd_sys_content_t /abc/index.html    // reset the security context
# ll -Z /abc/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /abc/index.html
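An added example, not from the original post, that parses these one-line setroubleshoot summaries from /var/log/messages so denials can be grepped and counted during triage. The sample lines are constructed from the messages shown in cases 1 and 2; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Turns setroubleshoot summaries
# into "source|permission|class|target|sealert_id" fields. Sample lines are
# constructed from the messages in cases 1 and 2.

SAMPLE_MESSAGES='May 19 23:50:54 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /abc/index.html. For complete SELinux messages. run sealert -l c8e46bf3-72a3-40ba-ac72-e345f65f7ff1
May 18 23:56:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l ef4d32e8-4325-4595-a119-f048aa9c4d24'

# parse_denials   (reads /var/log/messages style lines on stdin)
# Prints one "source|permission|class|target|sealert_id" line per summary and
# drops every other line. The target is empty for classes such as tcp_socket
# that carry no path in the message.
parse_denials() {
    sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([^ ]*\) *\([^ ]*\)\. For complete.*sealert -l \([0-9a-f-]*\).*/\1|\2|\3|\4|\5/p'
}

# count_denials SOURCE   (reads parsed lines on stdin)
# Number of denials attributed to SOURCE, e.g. /usr/sbin/httpd. grep -c exits
# 1 when the count is 0, hence the "|| true".
count_denials() {
    grep -c "^$1|" || true
}

# Usage: the page's two denials as fields, then the count for httpd.
printf '%s\n' "$SAMPLE_MESSAGES" | parse_denials
printf '%s\n' "$SAMPLE_MESSAGES" | parse_denials | count_denials /usr/sbin/httpd
```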
Case 2. Add a non-standard Apache port
# vim /etc/httpd/conf/httpd.conf    // add a non-standard Apache port
137 Listen 800
# service httpd restart    // fails to start
Stopping httpd: [ OK ]
Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:8000
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:8000
no listening sockets available, shutting down
Unable to open logs [FAILED]
# tail -f /var/log/messages    // view the log
May 18 23:56:14 localhost setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l ef4d32e8-4325-4595-a119-f048aa9c4d24
# tail -f /var/log/audit/audit.log
# man semanage    // see how to use semanage
# semanage port -l |grep http
http_cache_port_t tcp 3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
# semanage port -a -t http_port_t -p tcp 800    // add the non-standard port
# semanage port -l |grep http_port_t
http_port_t tcp 800, 80, 443, 488, 8008, 8009, 8443
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@localhost ~]# netstat -tupln |grep http
tcp 0 0 :::80 :::* LISTEN 3117/httpd
tcp 0 0 :::800 :::* LISTEN 3117/httpd
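Added example (not from the original post): a check that parses semanage port -l output and tells whether a port already has an SELinux port type for a protocol, expanding ranges such as 10001-10010. The listing is constructed from the output above; the function name is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Parses "semanage port -l" style
# output and reports which SELinux port type, if any, covers a protocol/port.
# The listing below is constructed from the case 2 output.

SAMPLE_PORTS='http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_type PROTO PORT   (reads the listing on stdin)
# Prints the first port type whose list covers PORT/PROTO; returns 1 if none.
port_type() {
    proto="$1"; port="$2"
    while read -r ptype pproto rest; do
        [ "$pproto" = "$proto" ] || continue
        # Split the comma-separated list; each item is either N or N-M.
        for item in $(printf '%s\n' "$rest" | tr ',' ' '); do
            case "$item" in
                *-*) lo=${item%-*}; hi=${item#*-} ;;
                *)   lo=$item; hi=$item ;;
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                printf '%s\n' "$ptype"
                return 0
            fi
        done
    done
    return 1
}

# Usage: 8009 is already http_port_t; 800 has no type, so httpd is denied
# name_bind on it until "semanage port -a -t http_port_t -p tcp 800" is run.
for p in 8009 800 10005; do
    if t=$(printf '%s\n' "$SAMPLE_PORTS" | port_type tcp "$p"); then
        echo "tcp/$p -> $t"
    else
        echo "tcp/$p -> no SELinux port type (add one with semanage port -a)"
    fi
done
```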
Case 3. Local regular user accessing FTP
# service vsftpd start
# ftp 127.0.0.1    // log in as a local regular user
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): nuo
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/nuo    // login fails
Login failed.
# tail -f /var/log/messages    // view the log and the suggested fix
# getsebool -a |grep ftp    // list the booleans related to ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# setsebool -P ftp_home_dir on    // enable the boolean for ftp home directories
# getsebool -a |grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
# ftp 127.0.0.1    // try again
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): nuo
331 Please specify the password.
Password:
230 Login successful.    // login succeeds
Case 4. Accessing Samba
# chcon -R -t samba_share_t /abc/    // allows entering the public directory (/abc)
# ll -dZ /abc
drwxr-xr-x. root root system_u:object_r:samba_share_t:s0 /abc
# setsebool -P samba_enable_home_dirs on    // allows entering a regular user's home directory (/home/nuo)
# ll -dZ /home/nuo/
drwx------. nuo nuo unconfined_u:object_r:user_home_dir_t:s0 /home/nuo/